Auto-revoke all user certificates when user is terminated

Question

A customer wants to automatically revoke all certificates issued to a specific user when he/she quits. Seems like a logical thing to do.

The process of terminating a user is an existing FIM workflow. They have
FIM CM for certain types of certificates.

My guess is that the termination workflow in FIM needs to include a request by/to the
FIM CM Management Agent to ask the FIM CM to revoke all certificates issued to the AD user account that is being terminated.

Is this hard to accomplish? Can someone give me some basic steps on how this is accomplished? Unfortunately I'm not very familiar with how FIM and MAs work. Yet.

Another question: Can the FIM CM MA only revoke certificates that were issued via the
FIM CM Portal? Or can it also revoke certificates that FIM CM is not aware of (such as autoenrolled), or do I need to use the
"Support for non-FIM CM certificate requests" policy module on the CA for this to work?

All replies

Using FIM SyncEngine's classical (de)provisioning methods you can create a FIM CM Retire request in the FIM CM Portal within the deprovisioning cycle (for sample code look
here).
However, you cannot execute the request automatically with the FIM CM Management Agent. Additionally I can remember some other strange behavior in the past (see this
post).

To completely automate the auto-revoke process you should use FIM CM's Provisioning API instead. One - of many other ways - could be:

When an AD user is deleted, write this event to an operational text file

Have a service in place that frequently parses the text file

Use FIM CM's Provisioning API createRequest and
Retire methods (be aware this method only works with smartcard certificates) to revoke the certificates.
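The file-based hand-off outlined in the reply, as an added example that is not part of the original thread and not FIM CM's own code. It swaps the FIM CM Provisioning API for certutil against the CA database, so it also catches auto-enrolled certificates FIM CM never saw (the asker's second question). The CA config string, the event file path and the DOMAIN\sam line format are assumptions.

```powershell
# Added example: revoke every currently issued certificate a CA holds for each terminated
# account listed in the deprovisioning event file. Assumed: CA config string, file path,
# and that the FIM workflow appends one DOMAIN\samAccountName per line.
param(
    [string]$CAConfig  = 'ca01.contoso.local\Contoso Issuing CA',  # assumption
    [string]$EventFile = 'C:\FIM\terminated-users.txt',            # assumption
    [int]$Reason       = 3,   # certutil reason code: 3 = AffiliationChanged, 5 = CessationOfOperation
    [switch]$DryRun
)

function Get-IssuedCertificates {
    param([string]$Requester)
    # Disposition=20 limits the view to issued rows, skipping already revoked/denied requests.
    $restrict = "RequesterName=$Requester,Disposition=20"
    $csv = certutil -config $CAConfig -view -restrict $restrict `
                    -out 'RequestID,SerialNumber,NotAfter' csv 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) { return @() }
    # csv mode prints a header row, then one row per certificate, columns in -out order.
    return @($csv | ConvertFrom-Csv)
}

function Revoke-UserCertificates {
    param([string]$Requester)
    $revoked = @()
    foreach ($row in Get-IssuedCertificates -Requester $Requester) {
        $cols   = @($row.PSObject.Properties)          # [0]=RequestID [1]=SerialNumber [2]=NotAfter
        $serial = ($cols[1].Value -replace '\s', '')    # certutil may print serials with spaces
        if ($DryRun) { Write-Host "would revoke $serial (request $($cols[0].Value))"; continue }
        certutil -config $CAConfig -revoke $serial $Reason | Out-Null
        if ($LASTEXITCODE -eq 0) { $revoked += $serial }
        else { Write-Warning "revoke failed for $serial ($Requester)" }
    }
    return $revoked
}

# The polling service: walk the file the termination workflow writes to.
$all = @()
foreach ($line in Get-Content $EventFile | Where-Object { $_.Trim() }) {
    $user = $line.Trim()
    $done = Revoke-UserCertificates -Requester $user
    $all += $done
    Write-Host ("{0}: {1} certificate(s) revoked" -f $user, $done.Count)
}
# Publish a new CRL right away so relying parties do not wait for the scheduled publish.
if (-not $DryRun -and $all.Count -gt 0) { certutil -config $CAConfig -CRL | Out-Null }
```

Run with -DryRun first to review which request IDs would be revoked per user; the RequesterName match is exact, so the file must carry the same DOMAIN\sam form the CA recorded.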
